Modify ↓
Opened 14 years ago
Last modified 4 years ago
#6152 new defect
User can modify members for other modules
| Reported by: | Owned by: | Ryan J Ollos | |
|---|---|---|---|
| Priority: | highest | Component: | SvnAuthzAdminPlugin |
| Severity: | critical | Keywords: | |
| Cc: | Trac Release: | 0.11 |
Description (last modified by )
If:
- User is authenticated against a project (projA)
- User has TRAC_ADMIN Access for projA
- User enters a path for another project with the following structure:
http://svn/<trac_context>/projA/admin/subversion/svnauthz/editpath/projB%3A/
- User adds a path member to
/->axton
Then member axton will have access to module:path
Attachments (0)
Change History (7)
comment:1 Changed 14 years ago by
| Description: | modified (diff) |
|---|
comment:2 Changed 14 years ago by
comment:3 Changed 14 years ago by
| Cc: | Ryan J Ollos added; anonymous removed |
|---|
comment:4 Changed 10 years ago by
| Owner: | changed from Kis Gergely to Ryan J Ollos |
|---|---|
| Status: | new → assigned |
comment:6 Changed 4 years ago by
| Cc: | Ryan J Ollos removed |
|---|
comment:7 Changed 4 years ago by
| Status: | assigned → new |
|---|
Note: See
TracTickets for help on using
tickets.
That is so because the user needs TRAC_ADMIN permission to use this module and that implies that he or she has VERSIONCONTROL_ADMIN permission.
To avoid this problem I've patched this module to allow it's use with the SVNAUTHZ_ADMIN permission, removing the need to have TRAC_ADMIN permission to be able to edit the file.
My patch is attached to the ticket #7493 (attachment:ticket:7493:svnauthadmin_permission.diff).